Beating back viruses
October 1, 2001

Anna Kournikova, Love Bug, Code Red, Sircam and now Anthrax - the (flawed) worm - brought to you by those fun-loving pranksters of cyberspace.

I can't stand it anymore. I've been trying to avoid writing about worms and viruses, figuring there were plenty of pundits covering the topic to death. But just in case, I started collecting tidbits of information a few weeks back that I thought might be helpful in beating back all manner of viruses, worms and Trojans. Now my collection has reached critical mass, and it's time to spill my virus guts.

Let's start with a simple, but effective method: if a system is infected by a worm that is spreading to other systems via the Internet, disconnect said system from said Internet.

This advice comes from M.E. Kabay, in a recent issue of a security newsletter he writes for Network World. Kabay, an associate professor in the Department of Computer Information Systems at Norwich University in Northfield, Vt., had a back-and-forth discourse with a woman whose infected computer was repeatedly sending him files. The woman knew the machine was infected and was working with her IT department to fix it. Kabay "emphatically" urged her to unplug her machine, which she did. Kabay received no more files from her.

Kabay's advice for how IT folks should deal with computer infections makes good horse sense:

  • Instruct users to report all suspected malicious software infections at once.
  • Never criticize a user for a false positive (thinking there's a virus when there's not).
  • Tell users to disconnect their possibly-infected systems from access to all networks immediately.
  • Resolve the problem using updated antivirus software and appropriate disinfection techniques, and only THEN reconnect the system to the Internet.

Of course, it's better not to get infected in the first place. Besides being diligent about updating your antivirus software, you must consistently apply patches for known vulnerabilities. This is where even the most well-intentioned IT organization can fall flat, given the volume of patches to keep up with.

A few products and services are emerging that purport to solve the problem. One is UpdateEXPERT from St. Bernard Software, which manages the deployment of patches to all enterprise machines. The product also inventories your network to determine which patches you need and searches for appropriate fixes as vendors deliver them.

SecurityFocus, meanwhile, has just announced its Attack Registry and Intelligence Service (ARIS) Predictor, which it claims can detect when a serious attack is imminent. That service joins the company's existing Security Intelligence Alerts service, which offers alert data tailored to a company's specific environment. For instance, if you have only Windows NT 4.0 servers, you get only the alert data relative to those machines.

Both services feed off the company's vast collection of vulnerability data, which comes in part from the BugTraq mailing list that SecurityFocus maintains. For ARIS Predictor, the company collects attack data from some 7,000 companies in 138 countries and has a team of analysts examine the data to spot trends. The company claims it can spot a major virus outbreak in its initial stages, while there's still time to alert customers to apply the appropriate patch.

Foundstone is due to announce enhancements this month to its FoundScan vulnerability scanning service that will make the service more suitable for enterprise use. According to George Kurtz, co-founder and CEO of the firm, the enhancements will include a portal that pulls together all the vulnerability data the company finds for each customer, enabling them to prioritize their risks and track fixes through the remediation process. Customers will also be able to use the portal to manage the service, including setting up scanning times and parceling out reports to the people applying the fixes.

Kurtz and the other Foundstone co-founder, company President Stuart McClure, are the authors of "Hacking Exposed: Network Security Secrets and Solutions," and are well-known in security circles. They claim Foundstone's vulnerability scanning service goes deeper than its competitors to find such things as dormant Web server code that can still pose security vulnerabilities. Given their reputation, the service seems worth a look.

Gartner Group, meanwhile, made a few headlines recently with a report that urged folks to "immediately investigate alternatives to" Microsoft's Internet Information Server (IIS) because of the Web server's security vulnerabilities. I won't argue that IIS doesn't have more than its share of vulnerabilities, but it's not like changing Web servers cures the security problem; other operating systems and servers have their own issues. Besides, any company that would entertain the notion of ripping out all its IIS servers for fear of security vulnerabilities is likely run by the same folks who would be diligent about patching those servers as needed, thus protecting themselves. It's everyone else we have to worry about.

Paul Desmond can be reached at
